CVE-2025-68119

Name	CVE-2025-68119
Description	Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1125916, 1126770

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
golang-1.15 (PTS)	bullseye	1.15.15-1~deb11u4	vulnerable
golang-1.19 (PTS)	bookworm	1.19.8-2	vulnerable
golang-1.24 (PTS)	trixie	1.24.4-1	vulnerable
	forky	1.24.9-1	vulnerable
	sid	1.24.12-1	vulnerable
golang-1.25 (PTS)	forky	1.25.3-1	vulnerable
	sid	1.25.7-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Debian Bugs
golang-1.15	source	(unstable)	(unfixed)
golang-1.19	source	(unstable)	(unfixed)
golang-1.24	source	(unstable)	(unfixed)	1126770
golang-1.25	source	(unstable)	1.25.6-1	1125916

Notes

[bullseye] - golang-1.15 <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
https://github.com/golang/go/issues/77099
Fixed by: https://github.com/golang/go/commit/082365aa552a7e2186f79110d5311dce70749cc0 (go1.25.6)
Fixed by: https://github.com/golang/go/commit/73fe85f0ea1bf2cec8e9a89bf5645de06ecaa0a6 (release-branch.go1.24)